#include<iostream>
#include<cstring>        // for strcat()
#include<io.h>
#include<utmp.h>
#include<fcntl.h>
#include<stdio.h>
#include<unistd.h>
#include<string.h>
#include<time.h>
#include <stdlib.h>
#include <uuid/uuid.h>
#include "syslog.h"
#include "struct.h"
#include <sqlite3.h>
#include <algorithm>
#include <string.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <sys/ioctl.h>
#include<sys/unistd.h>
using namespace std;

char *ltrim(char *str)
{	
	char *ptr;
	for(ptr=str; *ptr == 32; ptr++) ;
	return (strcpy(str,ptr));
}
char *rtrim(char *str)
{	
	int i;     
	for(i=(int)strlen(str)-1; str[i] == 32 && i>=0; str[i--]=0);
	return(str);
}
char *ltrim1(char *str)
{	
	char *ptr;
	for(ptr=str; *ptr == 40; ptr++) ;
	return (strcpy(str,ptr));
}
char *rtrim1(char *str)
{	
	int i;     
	for(i=(int)strlen(str)-1; str[i] == 41 && i>=0; str[i--]=0);
	return(str);
}
int GetLocalIp(char *ipbuf, int size)
{
	int i=0;
	int sockfd;
	struct ifconf ifc;
	char buf[1024]={0};
	//char ipbuf[20]={0};
	struct ifreq *ifr;
 
	ifc.ifc_len = 1024;
	ifc.ifc_buf = buf;
 
	if((sockfd = socket(AF_INET, SOCK_DGRAM,0))<0)
	{
	    printf("socket error\n");
		return -1;
	}
	ioctl(sockfd,SIOCGIFCONF, &ifc);
	ifr = (struct ifreq*)buf;
 
	for(i=(ifc.ifc_len/sizeof(struct ifreq)); i > 0; i--)
	{
        if(strcmp(ifr->ifr_name, "lo") == 0)
        {
            ifr = ifr +1;
            continue;
        }
		//printf("net name: %s\n",ifr->ifr_name);
		inet_ntop(AF_INET,&((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr,ipbuf,size);
		//printf("ip: %s \n",ipbuf);
		ifr = ifr +1;
        break;
	}
	return 0;
}


time_t string2time_t(string string_time)
{
    tm tm1;
    memset(&tm1, 0, sizeof(tm1));
    time_t time1;
 
   sscanf(string_time.c_str(), "%d-%d-%d %d:%d:%d",
        &(tm1.tm_year),
        &(tm1.tm_mon),
        &(tm1.tm_mday),
        &(tm1.tm_hour),
        &(tm1.tm_min),
        &(tm1.tm_sec));
 
    tm1.tm_year -= 1900;
    tm1.tm_mon -= 1;
 
    time1 = mktime(&tm1);
 
    return time1;
 
}

void SetabnormalLog(sqlite3 *db)
{
	int ret;
	char ** dbResult = NULL;
	char * errMsg = NULL;
	char ** dbResult2 = NULL;
	char * errMsg2 = NULL;
	char ** dbResult1 = NULL;
	char * errMsg1 = NULL;
	int nRow, nRow1,nRow2;
	int nColumn, nColumn1,nColumn2;
	int index, index1,index2;
	int i,j;
	string strbegintime;
	string strendtime;
	time_t begintimet,endtimet;
	string user_name;
	char getTimesql[256];
	memset(getTimesql,0,256);
	strcpy(getTimesql,"SELECT logon_name,begin_time,end_time from logo_suc_log");
	ret = sqlite3_get_table(db, getTimesql, &dbResult, &nRow,&nColumn, &errMsg);
	if(ret == SQLITE_OK)
	{
		index = nColumn;

		for (i = 0; i < nRow; i++)
		{
			for (j = 0; j < nColumn; j++)
			{
				//字段名:dbResult[j], 值:dbResult[index];
				string strfilename(dbResult[j]);
				if(strcasecmp(strfilename.c_str(),"begin_time")==0)
				{
					strbegintime=(dbResult[index]);
					

				}
				if(strcasecmp(strfilename.c_str(),"end_time")==0)
				{
					strendtime=(dbResult[index]);
					

				}
				if(strcasecmp(strfilename.c_str(),"logon_name")==0)
				{
					user_name=(dbResult[index]);
					

				}
				index++;
			}

			if(strendtime.length()!=0)
			{
				time_t timet = string2time_t(strendtime);

				endtimet=timet;

			}
			if(strbegintime.length()!=0)
			{
				time_t timet1 = string2time_t(strbegintime);

				begintimet=timet1;

			}
			char getInstalldatesql[256];
			memset(getInstalldatesql,0,256);
			strcpy(getInstalldatesql,"SELECT start_date from linux_install_info");
			cout<<getInstalldatesql<<endl;
			int ret1 = sqlite3_get_table(db, getInstalldatesql, &dbResult1, &nRow1,&nColumn1, &errMsg1);
			if(ret1==SQLITE_OK)
			{
				index1 = nColumn1;

				for (int k = 0; k < nRow1; k++)
				{
					for (int l = 0; l < nColumn1; l++)
					{
						//字段名:dbResult[j], 值:dbResult[index];
						string strfilename(dbResult1[l]);
						if(strcasecmp(strfilename.c_str(),"start_date")==0)
						{
							string strdate=(dbResult1[index1]);
							time_t install_timet=string2time_t(strdate);

							if(strendtime.length()!=0&&strbegintime.length()!=0)
							{
								if(begintimet<install_timet&&install_timet<endtimet)
								{
									//cout<<strbegintime<<endl;
									//cout<<strendtime<<endl;
									//cout<<strdate<<endl;
									//cout<<"1---"<<begintimet<<"---"<<endtimet<<"---"<<install_timet<<endl;
									char updatesql[256];
									memset(updatesql,0,256);
									sprintf(updatesql,"update linux_install_info set abnormal_flag='1' where start_date='%s'",strdate.c_str());
									char *errMsg7;
									int ret7 = sqlite3_exec(db, updatesql, NULL, NULL, &errMsg7);

								}

							}
							if(strbegintime.length()!=0&&strendtime.length()==0)
							{
								if(begintimet<install_timet)
								{
									//cout<<"2---"<<begintimet<<"----"<<install_timet<<"---"<<endl;
									char updatesql[256];
									memset(updatesql,0,256);
									sprintf(updatesql,"update linux_install_info set abnormal_flag='1' where start_date='%s'",strdate.c_str());
									char *errMsg7;
									int ret7 = sqlite3_exec(db, updatesql, NULL, NULL, &errMsg7);

								}
							}
						}

						index1++;
					}
				}
				sqlite3_free_table(dbResult1);
			}
			char getcommandsql[256];
			memset(getcommandsql,0,256);
			strcpy(getcommandsql,"SELECT date from linux_user_command");
		//	cout<<getcommandsql<<endl;
			int ret2 = sqlite3_get_table(db, getcommandsql, &dbResult2, &nRow2,&nColumn2, &errMsg2);
			if(ret2==SQLITE_OK)
			{
				index2 = nColumn2;

				for (int kk = 0; kk < nRow2; kk++)
				{
					for (int ll = 0; ll < nColumn2; ll++)
					{
						//字段名:dbResult[j], 值:dbResult[index];
						string strfilename(dbResult2[ll]);
						
						if(strcasecmp(strfilename.c_str(),"date")==0)
						{
							string strdate=(dbResult2[index2]);
							//cout<<strdate<<endl;
							time_t install_timet=string2time_t(strdate);
							
							if(strendtime.length()!=0&&strbegintime.length()!=0)
							{
								if(begintimet<install_timet&&install_timet<endtimet)
								{	//cout<<begintimet<<endtimet<<install_timet<<endl;
									
									char updatesql[256];
									memset(updatesql,0,256);
									sprintf(updatesql,"update linux_user_command set abnormal_flag='1' where date='%s'and username='%s'",strdate.c_str(),user_name.c_str());
									char *errMsg7;
									int ret7 = sqlite3_exec(db, updatesql, NULL, NULL, &errMsg7);

								}

							}
							if(strbegintime.length()!=0&&strendtime.length()==0)
							{
								if(begintimet<install_timet)
								{
									//cout<<begintimet<<install_timet<<endl;
									
									char updatesql[256];
									memset(updatesql,0,256);
									sprintf(updatesql,"update linux_user_command set abnormal_flag='1' where date='%s'and username='%s'",strdate.c_str(),user_name.c_str());
									char *errMsg7;
									int ret7 = sqlite3_exec(db, updatesql, NULL, NULL, &errMsg7);

								}
							}
						}

						index2++;
					}
				}
				sqlite3_free_table(dbResult2);
			}
		}
		sqlite3_free_table(dbResult);
	}
}
void GetSucLog(sqlite3 *db,char * Mac, char *eventId)
{
	if(db == NULL)
		return ;
	int ret1;
	char ** dbResult = NULL;
	char * errMsg = NULL;
	char ** dbResult1 = NULL;
	char * errMsg1 = NULL;
	int nRow, nRow1;
	int nColumn, nColumn1;
	int index, index1;
	int i,j;
	char logon_type[128];
	char logon_ip[64];
	char logon_username[256];
	char prc_id[64];
	char begin_time[32];
	char end_time[32];
	char id[36];	
	char Getsucsql[1024];
	memset(Getsucsql,0,1024);
	strcpy(Getsucsql,"SELECT * from linux_logon_log_bysecure where abnormal_flag='1'and logon_rs='success'");
	int ret = sqlite3_get_table(db, Getsucsql, &dbResult, &nRow,&nColumn, &errMsg);
	if(ret == SQLITE_OK)
	{
		index = nColumn;

		for (i = 0; i < nRow; i++)
		{
			for (j = 0; j < nColumn; j++)
			{
				//字段名:dbResult[j], 值:dbResult[index];
				string strfilename(dbResult[j]);
				if(strcasecmp(strfilename.c_str(),"id")==0)
				{
					string strid((dbResult[index]));
					memset(id,0,36);
					strcpy(id,strid.c_str());
				}
				if(strcasecmp(strfilename.c_str(),"prc_id")==0)
				{
					string strid((dbResult[index]));
					memset(prc_id,0,64);
					strcpy(prc_id,strid.c_str());
				}
				if(strcasecmp(strfilename.c_str(),"logon_user")==0)
				{
					string strid((dbResult[index]));
					memset(logon_username,0,256);
					strcpy(logon_username,strid.c_str());
				}
				if(strcasecmp(strfilename.c_str(),"logon_ip")==0)
				{
					string strid((dbResult[index]));
					memset(logon_ip,0,64);
					strcpy(logon_ip,strid.c_str());
				}
				if(strcasecmp(strfilename.c_str(),"logon_date")==0)
				{
					string strid((dbResult[index]));
					memset(begin_time,0,32);
					strcpy(begin_time,strid.c_str());
					char temp[36];
					strcpy(temp,begin_time);
				}
				index++;
			}
			char GetEndTimesql[256];
			memset(GetEndTimesql,0,256);
			sprintf(GetEndTimesql,"SELECT logon_date from linux_logon_log_bysecure where prc_id ='%s' and logon_ip ='%s'and logon_rs ='closed'",prc_id,logon_ip);
			ret1 = sqlite3_get_table(db, GetEndTimesql, &dbResult1, &nRow1,&nColumn1, &errMsg1);
			memset(end_time,0,32);
			if(ret1== SQLITE_OK)
			{
				index1 = nColumn1;

				for (int k = 0; k < nRow1; k++)
				{
					string strdate(dbResult1[index1]);
					
					strcpy(end_time,strdate.c_str());
					index1++;
				}
				sqlite3_free_table(dbResult1);
			}
			
			char struuid[36];
			memset(struuid,0,36);
			uuid_t uuid;
			uuid_generate(uuid);
			uuid_unparse(uuid, struuid);
			string suuid(struuid);
			suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
			memset(struuid, 0, sizeof(struuid));
			strncpy(struuid, suuid.c_str(), 32);
			char strInsertSql[512];
			memset(strInsertSql,0,512);
			sprintf(strInsertSql,"insert into logo_suc_log("
				"id,"
				"logon_name,"
				"prc_id,"
				"logon_ip,"
				"begin_time,"
				"end_time) values('%s','%s','%s','%s','%s','%s')",
				struuid,
				logon_username,
				prc_id,
				logon_ip,
				begin_time,
				end_time);
						
				char *errMsg7;
				int ret7 = sqlite3_exec(db, strInsertSql, NULL, NULL, &errMsg7);
				if(ret7 != SQLITE_OK)
				{
					cout<<"insert into logo_suc_log"<<errMsg7<<endl;
					sqlite3_free(errMsg7);
				}
		}
		sqlite3_free_table(dbResult);
	}
}
void Insertevent_association_analysis(EVENT_ASSOCIATION_ANALYSIS &eventstruct,sqlite3 *db,char * Mac, char *eventId)
{
	char struuid[36] = {0};
	uuid_t uuid;
	uuid_generate(uuid);
	uuid_unparse(uuid, struuid);
	string suuid(struuid);
	suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
	memset(struuid, 0, sizeof(struuid));
	strncpy(struuid, suuid.c_str(), 32);
	char strAttackSql[4096];
	memset(strAttackSql,0,4096);
		sprintf(strAttackSql,"insert into  event_association_analysis("
			"id,"
			"host_ip,"
			"attack_ip,"
			"attack_name,"
			"attack_time_begin,"
			"attack_time_end,"
			"task_name,"
			"file_md5,"
			"tool_name,"
			"login_name,"
			"suspicious_username,"
			"operant_hehavior,"
			"process_id,"
			"process_name,"
			"file_name,"
			"virus_type,"
			"port_connected_status,"
			"port,"
			"mac_address,"
			"event_task_id) values('%s','%s','%s','%s','%s','%s', '%s','%s','%s','%s','%s','%s','%s','%s','%s','%s', '%s','%s','%s','%s')",
			struuid,
			eventstruct.host_ip,
			eventstruct.attack_ip,
			eventstruct.attack_name,
			eventstruct.attack_time_begin,
			eventstruct.attack_time_end,
			eventstruct.task_name,
			eventstruct.file_md5,
			eventstruct.tool_name,
			eventstruct.login_name,
			eventstruct.suspicious_username,
			eventstruct.operant_hehavior,
			eventstruct.process_id,
			eventstruct.process_name,
			eventstruct.file_name,
			eventstruct.port_connected_status,
			eventstruct.port,
			eventstruct.virus_type,
			Mac,
			eventId);
	
	
	char * errMsg = NULL;
	int ret = sqlite3_exec(db, strAttackSql, NULL, NULL, &errMsg);
	if(errMsg != NULL)
	{
		

		cout<<"sqlite3_exec1 event_association_analysis"<<errMsg<<endl;
		sqlite3_free(errMsg);
	}
	
}
void InsertAttackIpData(ATTACKIPANALYSIS &attackIPstruct,sqlite3 *db,char * Mac, char *eventId)
{
	char struuid[36] = {0};
	uuid_t uuid;
	uuid_generate(uuid);
	uuid_unparse(uuid, struuid);
	string suuid(struuid);
	suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
	memset(struuid, 0, sizeof(struuid));
	strncpy(struuid, suuid.c_str(), 32);


	char strInsertSql[1024];
	memset(strInsertSql,0,1024);
	sprintf(strInsertSql,"insert into attack_ip_analysis("
			"id,"
			"host_ip,"
			"attack_ip,"
			"attack_event_name,"
			"attack_begin_time,"
			"attack_end_time,"
			"mac_address,"
			"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s')",
			struuid,
			attackIPstruct.host_ip,
			attackIPstruct.attack_ip,
			attackIPstruct.attack_event_name,
			attackIPstruct.attack_begin_time,
			attackIPstruct.attack_end_time,
			Mac,
			eventId);
	
	
	
	char * errMsg = NULL;
	int ret = sqlite3_exec(db, strInsertSql, NULL, NULL, &errMsg);
cout<<strInsertSql<<endl;
	if(errMsg != NULL)
	{
		
		cout<<"sqlite3_exec1 attack_ip_analysis"<<endl;
		sqlite3_free(errMsg);
	}

}
void GetPassword_violence_crack(sqlite3 *db, char * Mac, char *eventId)
{
	if(db == NULL)
		return ;
		int ret,ret1;
	char ** dbResult = NULL;
	

	char * errMsg = NULL;
	char ** dbResult1 = NULL;
	char ** dbResult2 = NULL;
	char ** dbResult3 = NULL;
	char ** dbResult4 = NULL;
	char ** dbResult5 = NULL;
	char ** dbResult6 = NULL;
	char ** dbResult7 = NULL;
	bool bIssucces=false;
	bool bIsFail=false;
	int nRow, nRow1,nRow2,nRow3,nRow4,nRow5,nRow6,nRow7;
	int nColumn, nColumn1,nColumn2,nColumn3,nColumn4,nColumn5,nColumn6,nColumn7;
	int index, index1,index2,index3,index4,index5,index6,index7;
	
	char * errMsg1 = NULL;
	
	BLASTLISTS BlastList;

	char strdate[256];
	char strLogon_ip[256];
	char strLogon_usrname[256];
	char strIPsql[256];
	char cField[256];
	
	char struuid[36] = {0};
	
	//获取登录成功日志的日期，根据日期获取登录失败的日志，如果存在>5条的日志则认为是暴力爆破而且已成功
	memset(strIPsql,0,256);
	strcpy(strIPsql,"SELECT distinct logon_user FROM linux_logon_log_bysecure");
	//cout<<"strIPsql"<<strIPsql<<endl;
	
	ret = sqlite3_get_table(db, strIPsql, &dbResult, &nRow,&nColumn, &errMsg);
	if(ret == SQLITE_OK)
	{
		index = nColumn;
		
		for (int i =0;i<nRow;i++)
		{
			
			memset(strLogon_usrname,0,256);
			strcpy(strLogon_usrname,dbResult[index]);
//cout<<strLogon_usrname<<endl;

			memset(strIPsql,0,256);
			sprintf(strIPsql,"SELECT DISTINCT logon_ip from linux_logon_log_bysecure where logon_user='%s'",strLogon_usrname);	
			//cout<<"strIPsql"<<strIPsql<<endl;
			ret1 = sqlite3_get_table(db, strIPsql, &dbResult1, &nRow1,&nColumn1, &errMsg1);
			if(ret1==SQLITE_OK)
			{
				index1=nColumn1;
				for(int i1=0;i1<nRow1;i1++)
				{
					memset(strLogon_ip,0,256);
					strcpy(strLogon_ip,dbResult1[index1]);
					//cout<<"strLogon_usrname"<<strLogon_usrname<<endl;
					if(strcasecmp(strLogon_ip,"localhost")==0||strcasecmp(strLogon_ip,"-")==0||strcasecmp(strLogon_ip,"")==0)
					{
						index1++;
						continue;
					}
					char logoDate[256];
					memset(logoDate,0,256);
					sprintf(logoDate,"SELECT DISTINCT logon_date from linux_logon_log_bysecure where logon_user='%s' and logon_ip ='%s'",strLogon_usrname,strLogon_ip);
					//cout<<"logoDate"<<logoDate<<endl;
					int ret2=sqlite3_get_table(db, logoDate, &dbResult2, &nRow2,&nColumn2, &errMsg1);
					if(ret2==SQLITE_OK)
					{
						index2=nColumn2;
						for(int i2=0;i2<nRow2;i2++)
						{
							strcpy(strdate,dbResult2[index2]);
//cout<<strdate<<endl;
							char logoFailSql[256];
							memset(logoFailSql,0,256);
							sprintf(logoFailSql,"SELECT count (*)from linux_logon_log_bysecure where logon_user='%s' and logon_ip ='%s'and logon_date='%s'  and logon_rs='fail'",strLogon_usrname,strLogon_ip,strdate);
						//	cout<<"logoFailSql"<<logoFailSql<<endl;
							int ret3=sqlite3_get_table(db, logoFailSql, &dbResult3, &nRow3,&nColumn3, &errMsg1);
							if(ret3==SQLITE_OK)
							{
								index3=nColumn3;
								for(int i3=0;i3<nRow3;i3++)
								{
									int count ;
									count= atoi(dbResult3[index3]);
									if(count>=2)
									{
										bIsFail=true;
										char logonSuccessSql[256];
										memset(logonSuccessSql,0,256);
										sprintf(logonSuccessSql,"SELECT count (*)from linux_logon_log_bysecure where logon_user='%s' and logon_ip ='%s'and logon_date='%s' and logon_rs='success'",strLogon_usrname,strLogon_ip,strdate);
									//	cout<<"logonSuccessSql"<<logonSuccessSql<<endl;
										int ret4=sqlite3_get_table(db, logonSuccessSql, &dbResult4, &nRow4,&nColumn4, &errMsg1);
										if(ret4==SQLITE_OK)
										{
											index4=nColumn4;
											for(int i4=0;i4<nRow4;i4++)
											{
												int count ;
												count= atoi(dbResult4[index4]);
												bIssucces=false;
												if(count>=1)
												{
													bIssucces=true;
													strcpy(BlastList.strsuccess_flag,"成功");
												//	bIssucces=TRUE;
													sprintf(strIPsql,"SELECT count(*) from linux_logon_log_bysecure where logon_rs='fail' and logon_user='%s'and logon_ip ='%s'",strLogon_usrname,strLogon_ip);

													
													int ret5 = sqlite3_get_table(db, strIPsql, &dbResult5, &nRow5,&nColumn5, &errMsg1);
													if(ret5==SQLITE_OK)
													{
														index5=nColumn5;
														for (int i5=0;i5<nRow5;i5++)
														{
															int count ;
															count= atoi(dbResult5[index5]);
															
															strcpy(BlastList.strLogon_times,dbResult5[index5]);
															//BlastList.strLogon_ip=strIP;
															strcpy(BlastList.strUserName,strLogon_usrname);

														}
													}
													sprintf(strIPsql,"SELECT MAX(logon_date) from linux_logon_log_bysecure where logon_rs='fail' and logon_user='%s'and logon_ip ='%s'",strLogon_usrname,strLogon_ip);
													
													int ret6 = sqlite3_get_table(db, strIPsql, &dbResult6, &nRow6,&nColumn6, &errMsg1);
													char maxtime[256];
													memset(maxtime,0,256);
													char mintime[256];
													memset(mintime,0,256);
													if(ret1==SQLITE_OK)
													{
														index6 = nColumn6;
														for (int i6 = 0; i6 < nRow6; i6++)
														{

															strcpy(maxtime,dbResult6[index6]);
															index6++;
														}
													}
													sprintf(strIPsql,"SELECT MIN(logon_date) from linux_logon_log_bysecure where logon_rs='fail' and logon_user='%s'and logon_ip ='%s'",strLogon_usrname,strLogon_ip);
													
													int ret7 = sqlite3_get_table(db, strIPsql, &dbResult7, &nRow7,&nColumn7, &errMsg1);
													
													if(ret1==SQLITE_OK)
													{
														index7 = nColumn7;
														for (int i7 = 0; i7 < nRow7; i7++)
														{

															strcpy(mintime,dbResult7[index7]);
															index7++;
														}
													}
													uuid_t uuid;
													uuid_generate(uuid);
													uuid_unparse(uuid, struuid);
													string suuid(struuid);
													suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
													memset(struuid, 0, sizeof(struuid));
													strncpy(struuid, suuid.c_str(), 32);
													char strInsertSql[512];
													memset(strInsertSql,0,512);
													sprintf(strInsertSql,"insert into blast_statistical("
														"id,"
														"logon_username,"
														"logon_firsttime,"
														"logon_lasttime,"
														"logon_times,"
														"success_flag,"
														"logon_ip,"
														"mac_address,"
														"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s','%s')",
														struuid,
														BlastList.strUserName,
														mintime,
														maxtime,
														BlastList.strLogon_times,
														BlastList.strsuccess_flag,
														strLogon_ip,
														Mac,
														eventId);
													
													char *errMsg7;
													 ret7 = sqlite3_exec(db, strInsertSql, NULL, NULL, &errMsg7);
													if(ret7 != SQLITE_OK)
													{
														cout<<"insert into blast_statistical"<<errMsg7<<endl;
														sqlite3_free(errMsg7);
													}
													char cIp[36];           // 本地ip
												    	memset(cIp, 0, sizeof(cIp));
												    	GetLocalIp(cIp, 36);
													EVENT_ASSOCIATION_ANALYSIS eventstruct;
													memset(eventstruct.process_id,0,256);
													strcpy(eventstruct.attack_name,"03006");
													strcpy(eventstruct.host_ip,cIp);
													strcpy(eventstruct.attack_ip,strLogon_ip);
													strcpy(eventstruct.attack_time_begin,mintime);
													strcpy(eventstruct.attack_time_end,maxtime);
													strcpy(eventstruct.login_name,BlastList.strUserName);
													Insertevent_association_analysis(eventstruct,db,Mac,eventId);
													if(strlen(strLogon_ip)>1)
													{
														ATTACKIPANALYSIS attackIP;
														strcpy(attackIP.attack_begin_time,mintime);
														strcpy(attackIP.attack_end_time,maxtime);
														strcpy(attackIP.attack_ip,strLogon_ip);
														strcpy(attackIP.host_ip,cIp);
														strcpy(attackIP.attack_event_name,"03006");
														InsertAttackIpData(attackIP,db,Mac,eventId);
													}
													//bIssucces=FALSE;
													break;
												}
												index4++;
											}
										}

									}
									if(bIssucces==true)
									{
										break;
									}
									index3++;
								}

						}
						index2++;
						if(bIssucces==true)
						{
							break;
						}
						
					}
					if(bIsFail==true&&bIssucces==false)
					{
						strcpy(BlastList.strsuccess_flag,"失败");
						//bIssucces=TRUE;
						sprintf(strIPsql,"SELECT count(*) from linux_logon_log_bysecure where logon_rs='fail' and logon_user='%s'and logon_ip ='%s'",strLogon_usrname,strLogon_ip);

						
						int ret5 = sqlite3_get_table(db, strIPsql, &dbResult5, &nRow5,&nColumn5, &errMsg1);

						if(ret5==SQLITE_OK)
						{
							index5=nColumn5;
							for (int i5=0;i5<nRow5;i5++)
							{
								int count ;
								count= atoi(dbResult5[index5]);
								
								strcpy(BlastList.strLogon_times,dbResult5[index5]);
								//BlastList.strLogon_ip=strIP;
								strcpy(BlastList.strUserName,strLogon_usrname);

							}
						}
						
						
						sprintf(strIPsql,"SELECT MAX(logon_date) from linux_logon_log_bysecure where logon_rs='fail' and logon_user='%s'and logon_ip ='%s'",strLogon_usrname,strLogon_ip);
													
													int ret6 = sqlite3_get_table(db, strIPsql, &dbResult6, &nRow6,&nColumn6, &errMsg1);
													char maxtime[256];
													memset(maxtime,0,256);
													char mintime[256];
													memset(mintime,0,256);
													if(ret1==SQLITE_OK)
													{
														index6 = nColumn6;
														for (int i6 = 0; i6 < nRow6; i6++)
														{

															strcpy(maxtime,dbResult6[index6]);
															index6++;
														}
													}
													sprintf(strIPsql,"SELECT MIN(logon_date) from linux_logon_log_bysecure where logon_rs='fail' and logon_user='%s'and logon_ip ='%s'",strLogon_usrname,strLogon_ip);
													
													int ret7 = sqlite3_get_table(db, strIPsql, &dbResult7, &nRow7,&nColumn7, &errMsg1);
													
													if(ret1==SQLITE_OK)
													{
														index7 = nColumn7;
														for (int i7 = 0; i7 < nRow7; i7++)
														{

															strcpy(mintime,dbResult7[index7]);
															index7++;
														}
													}
													uuid_t uuid;
													uuid_generate(uuid);
													uuid_unparse(uuid, struuid);
													string suuid(struuid);
													suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
													memset(struuid, 0, sizeof(struuid));
													strncpy(struuid, suuid.c_str(), 32);
													char strInsertSql[512];
													memset(strInsertSql,0,512);
													sprintf(strInsertSql,"insert into blast_statistical("
														"id,"
														"logon_username,"
														"logon_firsttime,"
														"logon_lasttime,"
														"logon_times,"
														"success_flag,"
														"logon_ip,"
														"mac_address,"
														"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s','%s')",
														struuid,
														BlastList.strUserName,
														mintime,
														maxtime,
														BlastList.strLogon_times,
														BlastList.strsuccess_flag,
														strLogon_ip,
														Mac,
														eventId);
						
													char *errMsg7;
													ret7 = sqlite3_exec(db, strInsertSql, NULL, NULL, &errMsg7);
													if(ret7 != SQLITE_OK)
													{
														cout<<"insert into blast_statistical"<<errMsg7<<endl;
														sqlite3_free(errMsg7);
													}
													char cIp[36];           // 本地ip
												    	memset(cIp, 0, sizeof(cIp));
												    	GetLocalIp(cIp, 36);
													EVENT_ASSOCIATION_ANALYSIS eventstruct;
													memset(eventstruct.process_id,0,256);
													strcpy(eventstruct.attack_name,"03005");
													strcpy(eventstruct.host_ip,cIp);
													strcpy(eventstruct.attack_ip,strLogon_ip);
													strcpy(eventstruct.attack_time_begin,mintime);
													strcpy(eventstruct.attack_time_end,maxtime);
													strcpy(eventstruct.login_name,BlastList.strUserName);
													Insertevent_association_analysis(eventstruct,db,Mac,eventId);
													if(strlen(strLogon_ip)>1)
													{
														ATTACKIPANALYSIS attackIP;
														strcpy(attackIP.attack_begin_time,mintime);
														strcpy(attackIP.attack_end_time,maxtime);
														strcpy(attackIP.attack_ip,strLogon_ip);
														strcpy(attackIP.host_ip,cIp);
														strcpy(attackIP.attack_event_name,"03005");
														InsertAttackIpData(attackIP,db,Mac,eventId);
													}
													bIsFail =false;


					}
					
				}
index1++;
			}
			
		}
index++;
		}

		}
	
}
void UpdateIP(sqlite3 *db)
{
	if(db == NULL)
		return ;
	char* strsql = new char[256];
	
	
	sprintf(strsql,"SELECT prc_id FROM linux_logon_log_bysecure where logon_type='%s' and logon_rs= '%s'","sshd:session","success");	
	
	
	int ret;
	char ** dbResult = NULL;
	int nRow, nColumn;
	int i, j, index;
	char * errMsg = NULL;
	int ret1;
	char ** dbResult1 = NULL;
	int nRow1, nColumn1;
	int i1, j1, index1;
	char * errMsg1 = NULL;
	
	ret = sqlite3_get_table(db, strsql, &dbResult, &nRow, &nColumn, &errMsg);
	if(ret == SQLITE_OK)
	{
		index = nColumn;
		for (i = 0; i < nRow; i++)
		{
			for (j = 0; j < nColumn; j++)
			{
				
				char * prc_id=(dbResult[index]);
				char * sql=new char[256];
				sprintf(sql,"SELECT logon_ip FROM linux_accepted_bysecure where prc_id='%s'",dbResult[index]);
				//cout<<" prc_id---"<<sql<<endl;
				ret1 = sqlite3_get_table(db, sql, &dbResult1, &nRow1, &nColumn1, &errMsg1);
				if(ret1 == SQLITE_OK)
				{
					index1 = nColumn1;
					for (i1 = 0; i1 < nRow1; i1++)
					{
						for (j1 = 0; j1 < nColumn1; j1++)
						{
							char *ip=dbResult1[index1];
							char * updatesql=new char[256];
							char * errMsgbox = NULL; 
							sprintf(updatesql,"UPDATE  linux_logon_log_bysecure set logon_ip='%s' WHERE prc_id ='%s'",ip,prc_id);
							//cout<<" UPDATE---"<<updatesql<<endl;
							ret = sqlite3_exec(db,updatesql,NULL,NULL,&errMsgbox);
							//cout<<strsql<<endl;
							if (0 != ret) 
							{
								cout<<updatesql<<endl;
							    cout<<"UPDATE  linux_logon_log_bysecure"<<endl;
							    cout<<errMsgbox<<endl;
							}
							if(errMsgbox)
							{
								sqlite3_free(errMsgbox);
							}
							index1++;
						}
					}
					sqlite3_free_table(dbResult1);	// 释放结果
				}
				index++;
			}
		}
		sqlite3_free_table(dbResult);	// 释放结果
	}
	
	if(errMsg)
	{
		sqlite3_free(errMsg);
	}
	delete []strsql;
	strsql = NULL;
	       

}
void UpdateSUuser(sqlite3 *db)
{
	if(db == NULL)
		return ;
	char* strsql = new char[256];
	
	
	sprintf(strsql,"SELECT prc_id FROM linux_logon_log_bysecure where logon_type='%s' and logon_rs= '%s'","su:session","success");	
	
	
	int ret;
	char ** dbResult = NULL;
	int nRow, nColumn;
	int i, j, index;
	char * errMsg = NULL;
	int ret1;
	char ** dbResult1 = NULL;
	int nRow1, nColumn1;
	int i1, j1, index1;
	char * errMsg1 = NULL;
	
	ret = sqlite3_get_table(db, strsql, &dbResult, &nRow, &nColumn, &errMsg);
	if(ret == SQLITE_OK)
	{
		index = nColumn;
		for (i = 0; i < nRow; i++)
		{
			for (j = 0; j < nColumn; j++)
			{
				
				char * prc_id=(dbResult[index]);
				char * sql=new char[256];
				sprintf(sql,"SELECT logo_name FROM successful_byauthlog where prc_id='%s'",dbResult[index]);
				//cout<<" prc_id---"<<sql<<endl;
				ret1 = sqlite3_get_table(db, sql, &dbResult1, &nRow1, &nColumn1, &errMsg1);
				if(ret1 == SQLITE_OK)
				{
					index1 = nColumn1;
					for (i1 = 0; i1 < nRow1; i1++)
					{
						for (j1 = 0; j1 < nColumn1; j1++)
						{
							char *user=dbResult1[index1];
							char * updatesql=new char[256];
							char * errMsgbox = NULL; 
							sprintf(updatesql,"UPDATE  linux_logon_log_bysecure set logname='%s' WHERE prc_id ='%s'",user,prc_id);
							//cout<<" UPDATE---"<<updatesql<<endl;
							ret = sqlite3_exec(db,updatesql,NULL,NULL,&errMsgbox);
							//cout<<strsql<<endl;
							if (0 != ret) 
							{
								cout<<updatesql<<endl;
							    cout<<"UPDATE  linux_logon_log_bysecure"<<endl;
							    cout<<errMsgbox<<endl;
							}
							if(errMsgbox)
							{
								sqlite3_free(errMsgbox);
							}
							index1++;
						}
					}
					sqlite3_free_table(dbResult1);	// 释放结果
				}
				index++;
			}
		}
		sqlite3_free_table(dbResult);	// 释放结果
	}
	
	if(errMsg)
	{
		sqlite3_free(errMsg);
	}
	delete []strsql;
	strsql = NULL;
	       

}

void GetDest(char * des,char* sub,char *user_name)
{
	char *username;
	username=strstr(des,sub);
	char user[256];
	memset(user,0,256);
	if(username)
	{
		strcpy(des,username);
		username=strchr(des,',')+1;
		memcpy(user_name,des,strlen(des)-strlen(username));
		char *p=strchr(user_name,'=')+1;
		strcpy(user_name,p);
		memcpy(user,user_name,strlen(user_name)-1);
		strcpy(user_name,user);
		strcpy(des,username);
	}

}
void GetInstallLog(sqlite3 *db, char * Mac, char *eventId)
{
	system("sudo find /var/log/apt -name 'history.log*'>dir");
	char *fileName = "./dir";
	FILE *fp = NULL;
	fp = fopen(fileName, "r");
	if(fp == NULL)
	{
		perror("open file failed");
		return;
	}
	char buf[1024];

	while(fgets(buf, 1024-1, fp) != NULL)
	{
		
		buf[strlen(buf)-1]='\0';
		cout<<buf<<endl;
		if(strlen(buf)==1)
		{
			break;
		}
		char * strgz;
		strgz=strstr(buf,".gz");

		if(strgz)
		{
		  char strgunzip[256];
		  memset(strgunzip,0,256);
		  sprintf(strgunzip,"sudo gunzip -c %s >test",buf);
		  system(strgunzip);
                  strcpy(buf,"test");
		}
		FILE *fp1=NULL;
		fp1 = fopen(buf, "r");
		//fp1 = fopen("var/log/auth.log.4", "r");
		if(fp1 == NULL)
		{
			perror("open file failed");
			cout<<"open file failed"<<endl;
			return;
		}

		char buf1[1024];
		memset(buf1, 0, sizeof(buf1));
		char * p1;
		char *p;
	
		char date[256];
		memset(date,0,256);
		char command[4000];
		memset(command,0,4000);
		char endDate[256];
		memset(endDate,0,256);
		char *err_msg = NULL;
		int count=0;		
		while(fgets(buf1, 1024-1, fp1) != NULL)
		{

			
			buf1[strlen(buf1)-1]='\0';
			
			if(strlen(buf1)>1)
			{	
				
				buf1[strlen(buf1)-1]='\0';
				if(strstr(buf1,"Start-Date:"))
				{
					p=strchr(buf1,':')+1;
					strcpy(date,p);
					cout<<date<<endl;
					count++;

				}
				if(strstr(buf1,"Commandline:"))
				{
					p=strchr(buf1,':')+1;
					strcpy(command,p);
					cout<<command<<endl;
					count++;

				}
				if(strstr(buf1,"End-Date:"))
				{
					p=strchr(buf1,':')+1;
					strcpy(endDate,p);
					cout<<endDate<<endl;
					count++;
				}
			
			}
			if(count==3)
			{
				char struuid[36] = {0};
				uuid_t uuid;
				uuid_generate(uuid);
				uuid_unparse(uuid, struuid);
				string suuid(struuid);
				suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
				memset(struuid, 0, sizeof(struuid));
				strncpy(struuid, suuid.c_str(), 32);
				char* strsql1 = new char[4096];
				memset(strsql1,0,4096);
				sprintf(strsql1,"insert into linux_install_info("
					"id,"
					"type,"
					"start_date,"
					"command,"
					"end_date,"
					"abnormal_flag,"
					"mac_address,"
					"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s')",
					struuid,
					"install",
					date,
					command,
					endDate,
					"0",
					Mac,
					eventId );
			       

				int ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
					cout<<"linux_install_info----"<<strsql1<<endl;
				if (0 != ret) 
				{
					//cout<<strsql1<<endl;
					   // cout<<"linux_user_command err"<<endl;
					 cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
				count=0;
			}
	
		}
		
		fclose(fp1);
		if(strstr(buf,"test"))
		{
		 system("rm ./test");
		}
	}

	fclose(fp);
	system("rm ./dir");
}
void Getsecure(sqlite3 *db, char * Mac, char *eventId)
{
	system("sudo hostname >hostname.txt");
	char *hostfile="./hostname.txt";
	FILE *f=NULL;
	f = fopen(hostfile,"r");
	char hostname[256];
	memset(hostname,0,256);
	while(fgets(hostname,256-1,f)!=NULL)
	{
		hostname[strlen(hostname)-1]='\0';
	}
	fclose(f);
	cout<<"hostname="<<hostname<<endl;
	system("rm ./hostname.txt");
	system("sudo find /var/log -name 'auth.log*'>dir");
	char *fileName = "./dir";
	FILE *fp = NULL;
	fp = fopen(fileName, "r");
	if(fp == NULL)
	{
		perror("open file failed");
		return;
	}
	char buf[1024];
	char sqldec[1024];
	memset(sqldec,0,1024);
	memset(buf, 0, sizeof(buf));
	time_t timep;
	struct tm *p;
	time(&timep);
	p = gmtime(&timep);
	char years[20];
	memset(years,0,20);
	sprintf(years,"%d",1900+p->tm_year);
	cout<<years<<endl;
	while(fgets(buf, 1024-1, fp) != NULL)
	{
		
		buf[strlen(buf)-1]='\0';

		if(strlen(buf)==1)
		{
			break;
		}
		char * strgz;
		strgz=strstr(buf,".gz");

		if(strgz)
		{
		  char strgunzip[256];
		  memset(strgunzip,0,256);
		  sprintf(strgunzip,"sudo gunzip -c %s >test",buf);
		  system(strgunzip);
                  strcpy(buf,"test");
		}
		cout<<buf<<endl;
		char *err_msg;
	    	int ret;
		
		
		
		char datebuf[128];
		memset(datebuf,0,128);
		strcpy(datebuf,buf);

		char filedate[5];
		if(strlen(datebuf)>20)
		{
			char *d;
			d=strchr(datebuf,'-')+1;
			if(d)
			{
				strcpy(datebuf,d);
				//cout<<datebuf<<endl;
				
				memset(filedate,0,5);
				memcpy(filedate,datebuf,4);
				
			}
		}
		cout<<"datebuf"<<datebuf<<endl;
		FILE *fp1=NULL;
		fp1 = fopen(buf, "r");
		//fp1 = fopen("var/log/auth.log.4", "r");
		if(fp1 == NULL)
		{
			perror("open file failed");
			cout<<"open file failed"<<endl;
			return;
		}

		char buf1[1024];
		memset(buf1, 0, sizeof(buf1));
		char * p1;
		char *p;
	//	p = new char[1024];
	//	memset(p,0,1024);
		
		char date[256];
		memset(date,0,256);
		char date1[256];
		memset(date1,0,256);
		char des[1024];
		memset(des,0,1024);
		char tempbuf[1024];
		memset(tempbuf,0,1024);

		while(fgets(buf1, 1024-1, fp1) != NULL)
		{

			//cout<<buf1<<endl;
			buf1[strlen(buf1)-1]='\0';

			//cout<<buf1<<endl;
			char struuid[36] = {0};
			uuid_t uuid;
			uuid_generate(uuid);
			uuid_unparse(uuid, struuid);
			string suuid(struuid);
			suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
			memset(struuid, 0, sizeof(struuid));
			strncpy(struuid, suuid.c_str(), 32);
			
			p=strstr(buf1,hostname);
		
			memcpy(date,buf1,strlen(buf1)-strlen(p)-1);
			char des1[1024];
			char des2[1024];

			memcpy(date,buf1,strlen(buf1)-strlen(p));
				char *d;
			d=strchr(date,' ')+1;
			char mouths[20];
			char days[20];
			char hours[20];
			memset(hours,0,20);
			memset(mouths,0,20);
			memset(days,0,20);
			memcpy(mouths,date,strlen(date)-strlen(d)-1);
			strcpy(date,d);
		
			if(strcasecmp(mouths,"Jan")==0)
			{
				strcpy(mouths,"1");
			}
			else if(strcasecmp(mouths,"Feb")==0)
			{
				strcpy(mouths,"2");
			}
			else if(strcasecmp(mouths,"Mar")==0)
			{
				strcpy(mouths,"3");
			}
			else if(strcasecmp(mouths,"Apr")==0)
			{
				strcpy(mouths,"4");
			}
			else if(strcasecmp(mouths,"May")==0)
			{
				strcpy(mouths,"5");
			}
			else if(strcasecmp(mouths,"Jun")==0)
			{
				strcpy(mouths,"6");
			}
			else if(strcasecmp(mouths,"Jul")==0)
			{
				strcpy(mouths,"7");
			}
			else if(strcasecmp(mouths,"Aug")==0)
			{
				strcpy(mouths,"8");
			}
			else if(strcasecmp(mouths,"Sep")==0)
			{
				strcpy(mouths,"9");
			}
			else if(strcasecmp(mouths,"Oct")==0)
			{
				strcpy(mouths,"10");
			}
			else if(strcasecmp(mouths,"Nov")==0)
			{
				strcpy(mouths,"11");
			}
			else if (strcasecmp(mouths,"Dec")==0)
			{
				strcpy(mouths,"12");
			}
			d=strchr(date,' ')+1;
			memcpy(days,date,strlen(date)-strlen(d)-1);
			strcpy(hours,d);
			memset(date1,0,256);
			if(strlen(filedate)<4)
			{
				strcpy(date1,years);
			}
			else
			{
				//cout<<filedate<<endl;
				strcpy(date1,filedate);
			}
			strcat(date1,"-");
			strcat(date1,mouths);
			strcat(date1,"-");
			strcat (date1,days);
			strcat(date1," ");
			strcat(date1,hours);
			//cout<<date1<<endl;
			strcpy(des,p);
			
			p=strstr(des,"unlocked 'login' keyring");
			if(p)
			{
				continue;
			}
			p=strchr(des,'\'');

			
			memset(des2,0,1024);

			if(p)
			{


				p=strchr(des,'\'')+1;

				memcpy(des1,des,strlen(des)-strlen(p)-1);
				strcpy(des2,des1);

				strcpy(des,p);
				while(p=strchr(des,'\'')+1)
				{
					char *p2=strchr(des,'\'');
					if(!p2)
					{
						strcat(des2,des);
						strcpy(sqldec,des2);
						break;
					}

					memset(des1,0,1024);
					memcpy(des1,des,strlen(des)-strlen(p)-1);
					strcat(des2,des1);

					strcpy(des,p);
					if(strlen(des)==1)
					{
						strcat(des2,des);
						strcpy(sqldec,des2);
						break;
					}
				}
				strcpy(sqldec,des2);
				strcpy(des,des2);

			}
			else
			{
				strcpy(sqldec,des);
			}
			
 			
		
			//把内容输入到sqlite3数据库中
			char* strsql = new char[4096];
		
			sprintf(strsql,"insert into linux_secure_log("
			"id,"
			"date,"
			"describe,"
			"mac_address,"
			"event_task_id) values('%s','%s','%s','%s','%s')",
			struuid,
			date1,
			sqldec,
			Mac,
			eventId );
	       

			ret = sqlite3_exec(db,strsql,NULL,NULL,&err_msg);
			//cout<<strsql<<endl;
			if (0 != ret) 
			{
			cout<<strsql<<endl;
			    cout<<"linux_secure_log err"<<endl;
			    cout<<err_msg<<endl;
			}
			delete []strsql;
			strsql = NULL;
				char *add,*del,*change;
	add=strstr(des,"useradd");
	del=strstr(des,"userdel");
	change=strstr(des,"password changed for");
	cout<<des<<endl;
	if(add)
	{
		char * adduser;
		char user_name[256];
		char user_uid[256];
		char user_gid[256];
		char user_home[256];
		adduser=strstr(des,"new user:");
		if(adduser)
		{
			strcpy(des,adduser);
			memset(user_name,0,256);
			memset(user_uid,0,256);
			memset(user_gid,0,256);
			memset(user_home,0,256);
			GetDest(des,"name=",user_name);
			GetDest(des,"UID=",user_uid);
			GetDest(des,"GID=",user_gid);
			GetDest(des,"home=",user_home);
			char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_user_operate_log("
				"id,"
				"date,"
				"username,"
				"uid,"
				"gid,"
				"user_home,"
				"operate_type,"
				"abnormal_flag,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				date1,
				user_name,
				user_uid,
				user_gid,
				user_home,
				"添加用户",
				"1",
				Mac,
				eventId );
		       
				
				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				cout<<"linux_user_operate_log for add user"<<strsql1<<endl;
				if (0 != ret) 
				{
				cout<<strsql<<endl;
				    cout<<"linux_user_operate_log err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
		}
		
	}
	if(del)
	{
		char * deluser;
		char user_name[256];
		deluser=strstr(des,"delete user");
		if(deluser)
		{
			strcpy(des,deluser);
			char *p = strchr(des,' ')+1;
			memcpy(user_name,des,strlen(des)-strlen(p));
			strcpy(des,p);
			 p=strchr(des,' ')+1;
			strcpy(user_name,p);
			char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_user_operate_log("
				"id,"
				"date,"
				"username,"
				"operate_type,"
				"abnormal_flag,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				date1,
				user_name,
				"删除用户",
				"1",
				Mac,
				eventId );
		       
				
				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				cout<<"linux_user_operate_log for del user"<<strsql1<<endl;
				if (0 != ret) 
				{
				cout<<strsql<<endl;
				    cout<<"linux_user_operate_log err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;

		}
	}
	if(change)
	{
		char * changed;
		char user_name[256];
		changed=strstr(des,"password changed");
		if(changed)
		{
			strcpy(des,changed);
			char *p = strchr(des,' ')+1;
			memcpy(user_name,des,strlen(des)-strlen(p));
			strcpy(des,p);
			p=strchr(des,' ')+1;
			strcpy(des,p);
			p=strchr(des,' ')+1;
			strcpy(user_name,p);
			char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_user_operate_log("
				"id,"
				"date,"
				"username,"
				"operate_type,"
				"abnormal_flag,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				date1,
				user_name,
				"修改密码",
				"1",
				Mac,
				eventId );
		       
				
				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				cout<<"linux_user_operate_log for changed passwd"<<strsql1<<endl;
				if (0 != ret) 
				{
				cout<<strsql<<endl;
				    cout<<"linux_user_operate_log err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
			
		}
	}
			char * temp;
			temp=strstr(des,"[COMMAND=");
			
			if(temp)
			{
				continue;
			}
			char *comd;
			char *user;
			char *pwd;
			LOGONINFO logoninfo;
//cout<<des<<endl;
			comd=strstr(des,"COMMAND=");
			
			user=strstr(des,"USER=");
//cout<<user<<endl;
			pwd =strstr(des,"PWD=");
//cout<<pwd<<endl;
			char commd[256];
			char users[256];
			char pwds[256];
			memset(commd,0,256);
			memset(users,0,256);
			memset(pwds,0,256);
			if(comd)
			{
			cout<<des<<endl;
			strcpy(commd,comd);
			p = strchr(commd,'=')+1;
			strcpy(commd,p);
			}
			if(user)
			{
			char username[256];
			memset(username,0,256);
			strcpy(users,user);
			if(comd)
			{
				comd=strstr(users,"COMMAND=")-1;

				memcpy(username,users,strlen(users)-strlen(comd)-2);
				p=strchr(username,'=')+1;
				memset(users,0,256);
				if(p)
				{
					strcpy(users,p);
				}
			}
			else
			{
				p=strchr(users,'=')+1;
				
				if(p)
				{
					strcpy(username,p);
					memset(users,0,256);
					p=strchr(username,' ');
					if(p)
					{
						memcpy(users,username,strlen(username)-strlen(p));
						strcpy(username,users);
					}
				}
			}
			
		}
		if(pwd)
		{
			char path[256];
			memset(path,0,256);
			strcpy(pwds,pwd);
			if(user)
			{
				user=strstr(pwds,"USER=")-1;
				memcpy(path,pwds,strlen(pwds)-strlen(user)-2);
				p=strchr(path,'=')+1;
				memset(pwds,0,256);
				strcpy(pwds,p);
			}
			else
			{
				p=strchr(pwds,'=')+1;
				
				strcpy(path,p);
				memset(pwds,0,256);
				strcpy(pwds,path);
			}
		
		}
		
			if(strlen(pwds)>=1&&strlen(users)>1&&strlen(commd)>1)
			{
				char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_user_command("
				"id,"
				"path,"
				"command,"
				"username,"
				"date,"
				"abnormal_flag,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				pwds,
				commd,
				users,
				date1,
				"0",
				Mac,
				eventId );
		       
				//cout<<"comd="<<commd<<"user="<<users<<"pwd="<<pwds<<endl;
				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				//cout<<"linux_user_command"<<strsql1<<endl;
				if (0 != ret) 
				{
				cout<<strsql<<endl;
				    cout<<"linux_user_command err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
			}
		
			char *localhost,*open,*close;
			localhost=strstr(des,"authentication failure;");
			
			//cout<<des<<endl;
			
			open = strstr(des,"session opened");
			close=strstr(des,"session closed");
char *success;
	success=strstr(des,"Successful");
	if(success)
	{
		char *logname;
		char *ip;
		char *prc_id;
		char logon_type[50];
		char temp[256];
		memset(temp,0,256);
		LOGONINFO logoninfo;
		memset(logoninfo.date,0,256);
		memset(logoninfo.logon_type,0,256);
		memset(logoninfo.logon_rs,0,256);
		memset(logoninfo.logon_ip,0,256);
		memset(logoninfo.user,0,256);
		memset(logoninfo.pr_id,0,32);
		memset(logoninfo.logname,0,256);
		strcpy(logoninfo.date,date);
		strcpy(logoninfo.logon_rs,"success");
		char * templocal;
		templocal=strchr(des,' ')+1;
		strcpy(temp,templocal);
		templocal=strchr(temp,':');
		strcpy(des,templocal);
		memset(logon_type,0,50);
		memcpy(logon_type,temp,strlen(temp)-strlen(des));
		prc_id=strchr(logon_type,'[');
		if(prc_id)
		{
			char t[256];
			char prc[32];
			memset(prc,0,32);
			memset(t,0,256);
			memcpy(t,logon_type,strlen(logon_type)-strlen(prc_id));
			//strcpy(temp,prc_id);
			strcpy(logoninfo.logon_type,t);
			memset(t,0,256);
			strcpy(t,prc_id);

			prc_id=strchr(t,']');
			//memset(t,0,256);
			memcpy(prc,t,strlen(t)-strlen(prc_id));
			prc_id=strchr(prc,'[')+1;
			strcpy(t,prc_id);
			strcpy(logoninfo.pr_id,t);

		}
		char *for1;
		for1=strstr(des,"for");
		strcpy(des,for1);

		if(for1)
		{
			for1=strchr(des,' ')+1;
			strcpy(des,for1);
		}
		if(for1)
		{
			char username[256];
			for1=strchr(des,' ')+1;
			memset(username,0,256);
			memcpy(username,des,strlen(des)-strlen(for1)-1);
			strcpy(logoninfo.user,username);
			strcpy(des,for1);
			for1=strchr(des,' ')+1;
			strcpy(username,for1);
			strcpy(logoninfo.logname,username);
		}
		char* strsql1 = new char[4096];
				memset(strsql1,0,4096);
				sprintf(strsql1,"insert into successful_byauthlog("
				"id,"
				"date,"
				"user_name,"
				"logo_name,"
				"prc_id) values('%s','%s','%s','%s','%s')",
				struuid,	
				date1,
				logoninfo.user,
				logoninfo.logname,
				logoninfo.pr_id);
		       
				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				cout<<"success----"<<strsql1<<endl;
				if (0 != ret) 
				{
				//cout<<strsql1<<endl;
				   // cout<<"linux_user_command err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;

	}
			if(close)
			{
				//cout<<des<<endl;
				char destemp[256];
				memset(destemp,0,256);
				strcpy(destemp,des);
				char *logname;
				char *ip;
				char *prc_id;
				char logon_type[50];
				char temp[256];
				memset(temp,0,256);
				memset(logoninfo.date,0,256);
				memset(logoninfo.logon_type,0,256);
				memset(logoninfo.logon_rs,0,256);
				memset(logoninfo.logon_ip,0,256);
				memset(logoninfo.user,0,256);
				memset(logoninfo.pr_id,0,32);
				memset(logoninfo.logname,0,256);
				strcpy(logoninfo.date,date);
				strcpy(logoninfo.logon_rs,"closed");
				char * templocal;
				templocal=strchr(des,' ')+1;
				strcpy(temp,templocal);
				templocal=strchr(temp,':');
				strcpy(des,templocal);
				memset(logon_type,0,50);
				memcpy(logon_type,temp,strlen(temp)-strlen(des));
				prc_id=strchr(logon_type,'[');
				if(prc_id)
				{
					char t[256];
					char prc[32];
					memset(prc,0,32);
					memset(t,0,256);
					
					strcpy(t,prc_id);

					prc_id=strchr(t,']');
					//memset(t,0,256);
					memcpy(prc,t,strlen(t)-strlen(prc_id));
					prc_id=strchr(prc,'[')+1;
					strcpy(t,prc_id);
					strcpy(logoninfo.pr_id,t);

				}
				char *type=strstr(des,"pam_unix(");
				if(type)
				{
					strcpy(des,type);
					type=strchr(des,')');

					memcpy(logon_type,des,strlen(des)-strlen(type));
					type=strrchr(logon_type,'(')+1;
					strcpy(logoninfo.logon_type,type);
				}

				//memset(des,0,256);
				char dest[256];
				char username[256];
				strcpy(dest,des);
				char *for1;
				for1=strstr(destemp,"user");
				//cout<<destemp<<endl;
				if(for1)
				{
					strcpy(destemp,for1);
				}
				if(for1)
				{
					for1=strchr(destemp,' ')+1;
				//	cout<<for1<<endl;
					memset(username,0,256);
					memcpy(username,for1,strlen(for1));
					//cout<<username<<endl;
					strcpy(logoninfo.user,username);
				}
				char abnormal[20];
				memset(abnormal,0,20);
				cout<<logoninfo.logon_type<<endl;
				if(strcasecmp(logoninfo.logon_type,"sshd:session")==0||strcasecmp(logoninfo.logon_type,"sshd")==0)
				{
					strcpy(abnormal,"1");
				}
				else
				{
					strcpy(abnormal,"0");
				}
				char* strsql1 = new char[4096];
				memset(strsql1,0,4096);
				sprintf(strsql1,"insert into linux_logon_log_bysecure("
				"id,"
				"logon_type,"
				"prc_id,"
				"logname,"
				"logon_user,"
				"logon_ip,"
				"logon_rs,"
				"logon_date,"
				"abnormal_flag,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				logoninfo.logon_type,
				logoninfo.pr_id,
				logoninfo.logname,
				logoninfo.user,
				logoninfo.logon_ip,
				logoninfo.logon_rs,
				date1,
				abnormal,
				Mac,
				eventId );
		       

				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				//cout<<"close----"<<strsql1<<endl;
				if (0 != ret) 
				{
				//cout<<strsql1<<endl;
				   // cout<<"linux_user_command err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
			}
			char *accept=strstr(des,"accepted password");
			char *Accept=strstr(des,"Accepted password");
			if(Accept)
			{
			
				char user[1024];
				char temp[1024];
				memset(temp,0,1024);
				char *logname;
				char ip[256];;
				char *prc_id;
				char logon_type[50];
				memset(ip,0,256);
				memset(logoninfo.date,0,256);
				memset(logoninfo.logon_type,0,256);
				memset(logoninfo.logon_rs,0,256);
				memset(logoninfo.logon_ip,0,256);
				memset(logoninfo.user,0,256);
				memset(logoninfo.pr_id,0,32);
				memset(logoninfo.logname,0,256);
				strcpy(logoninfo.date,date);
			
				strcpy(temp,Accept);

			
				char *l=strstr(temp,"for");
				strcpy(user,l);
				strcpy(temp,user);
				l = strstr(temp,"from");
				strcpy(user,l);
				strcpy(ip,user);
				memset(user,0,256);
				memcpy(user,temp,strlen(temp)-strlen(l)-1);
				l =strchr(user,' ')+1;
				memset(temp,0,256);
				strcpy(temp,l);
				//cout<<temp<<endl;
				strcpy(logoninfo.user,temp);

				l = strstr(ip,"port");
				memcpy(temp,ip,strlen(ip)-strlen(l)-1);
				//	strcpy(temp,l);
				l=strchr(temp,' ')+1;
				//memset(ip,0,256);
				strcpy(ip,l);
				strcpy(logoninfo.logon_ip,ip);
			
				char * templocal;
				templocal=strchr(des,' ')+1;
				strcpy(temp,templocal);
				templocal=strchr(temp,':');
				strcpy(des,templocal);
				memset(logon_type,0,50);
				memcpy(logon_type,temp,strlen(temp)-strlen(des));
				prc_id=strchr(logon_type,'[');
				if(prc_id)
				{
					char t[256];
					char prc[32];
					memset(prc,0,32);
					memset(t,0,256);
					memcpy(t,logon_type,strlen(logon_type)-strlen(prc_id));
					//strcpy(temp,prc_id);
					strcpy(logoninfo.logon_type,t);
					memset(t,0,256);
					strcpy(t,prc_id);

					prc_id=strchr(t,']');
					//memset(t,0,256);
					memcpy(prc,t,strlen(t)-strlen(prc_id));
					prc_id=strchr(prc,'[')+1;
					strcpy(t,prc_id);
					strcpy(logoninfo.pr_id,t);

				}
				char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_accepted_bysecure("
				"id,"
				"prc_id,"
				"logon_username,"
				"logon_ip,"
				"logon_date,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				logoninfo.pr_id,
				logoninfo.user,
				logoninfo.logon_ip,
				date1,
				Mac,
				eventId );
		       

				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				cout<<"accepted"<<strsql1<<endl;
				if (0 != ret) 
				{
				//cout<<strsql1<<endl;
				   // cout<<"linux_user_command err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
			}
			if(accept)
			{
			
				char user[1024];
				char temp[1024];
				memset(temp,0,1024);
				char *logname;
				char ip[256];;
				char *prc_id;
				char logon_type[50];
				memset(ip,0,256);
				memset(logoninfo.date,0,256);
				memset(logoninfo.logon_type,0,256);
				memset(logoninfo.logon_rs,0,256);
				memset(logoninfo.logon_ip,0,256);
				memset(logoninfo.user,0,256);
				memset(logoninfo.pr_id,0,32);
				memset(logoninfo.logname,0,256);
				strcpy(logoninfo.date,date);
			
				strcpy(temp,Accept);

			
				char *l=strstr(temp,"for");
				strcpy(user,l);
				strcpy(temp,user);
				l = strstr(temp,"from");
				strcpy(user,l);
				strcpy(ip,user);
				memset(user,0,256);
				memcpy(user,temp,strlen(temp)-strlen(l)-1);
				l =strchr(user,' ')+1;
				memset(temp,0,256);
				strcpy(temp,l);

				strcpy(logoninfo.user,temp);

				l = strstr(ip,"port");
				memcpy(temp,ip,strlen(ip)-strlen(l)-1);
				//	strcpy(temp,l);
				l=strchr(temp,' ')+1;
				//memset(ip,0,256);
				strcpy(ip,l);
				strcpy(logoninfo.logon_ip,ip);
			
				char * templocal;
				templocal=strchr(des,' ')+1;
				strcpy(temp,templocal);
				templocal=strchr(temp,':');
				strcpy(des,templocal);
				memset(logon_type,0,50);
				memcpy(logon_type,temp,strlen(temp)-strlen(des));
				prc_id=strchr(logon_type,'[');
				if(prc_id)
				{
					char t[256];
					char prc[32];
					memset(prc,0,32);
					memset(t,0,256);
					memcpy(t,logon_type,strlen(logon_type)-strlen(prc_id));
					//strcpy(temp,prc_id);
					strcpy(logoninfo.logon_type,t);
					memset(t,0,256);
					strcpy(t,prc_id);

					prc_id=strchr(t,']');
					//memset(t,0,256);
					memcpy(prc,t,strlen(t)-strlen(prc_id));
					prc_id=strchr(prc,'[')+1;
					strcpy(t,prc_id);
					strcpy(logoninfo.pr_id,t);

				}
				char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_accepted_bysecure("
				"id,"
				"prc_id,"
				"logon_username,"
				"logon_ip,"
				"logon_date,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				logoninfo.pr_id,
				logoninfo.user,
				logoninfo.logon_ip,
				date1,
				Mac,
				eventId );
		       

				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				cout<<"accepted"<<strsql1<<endl;
				if (0 != ret) 
				{
				//cout<<strsql1<<endl;
				   // cout<<"linux_user_command err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
			}
			if(open)
			{
				//cout<<open<<endl;
				char *logname;
				char *ip;
				char *prc_id;
				char logon_type[50];
				char temp[256];
				memset(temp,0,256);
				memset(logoninfo.date,0,256);
				memset(logoninfo.logon_type,0,256);
				memset(logoninfo.logon_rs,0,256);
				memset(logoninfo.logon_ip,0,256);
				memset(logoninfo.user,0,256);
				memset(logoninfo.pr_id,0,32);
				memset(logoninfo.logname,0,256);
				strcpy(logoninfo.date,date);
				strcpy(logoninfo.logon_rs,"success");
				char * templocal;
				templocal=strchr(des,' ')+1;
				strcpy(temp,templocal);
				templocal=strchr(temp,':');
				strcpy(des,templocal);
				memset(logon_type,0,50);
				memcpy(logon_type,temp,strlen(temp)-strlen(des));
				prc_id=strchr(logon_type,'[');
				if(prc_id)
				{
					char t[256];
					char prc[32];
					memset(prc,0,32);
					memset(t,0,256);
					memcpy(t,logon_type,strlen(logon_type)-strlen(prc_id));
					//strcpy(temp,prc_id);
					strcpy(logoninfo.logon_type,t);
					memset(t,0,256);
					strcpy(t,prc_id);

					prc_id=strchr(t,']');
					//memset(t,0,256);
					memcpy(prc,t,strlen(t)-strlen(prc_id));
					prc_id=strchr(prc,'[')+1;
					strcpy(t,prc_id);
					strcpy(logoninfo.pr_id,t);

				}
					char *type=strstr(des,"pam_unix(");
				if(type)
				{
					strcpy(des,type);
					type=strchr(des,')');

					memcpy(logon_type,des,strlen(des)-strlen(type));
					type=strrchr(logon_type,'(')+1;
					strcpy(logoninfo.logon_type,type);
				}
				//memset(des,0,256);
				char dest[256];
				char username[256];
				strcpy(dest,des);

				char *for1;
				for1=strstr(dest,"user");
				strcpy(dest,for1);
				
				if(for1)
				{
					for1=strchr(dest,' ')+1;
					strcpy(dest,for1);
				}
				if(for1)
				{
					for1=strchr(dest,' ')+1;
					memset(username,0,256);
					memcpy(username,dest,strlen(dest)-strlen(for1)-1);
					strcpy(logoninfo.user,username);
					//cout<<username<<endl;
				}
				if(strcasecmp(logoninfo.logon_type,"su:session")==0)
				{
					strcpy(dest,for1);
					for1=strchr(dest,' ')+1;
					strcpy(dest,for1);
					memset(username,0,256);
					memcpy(username,dest,strlen(dest)-strlen(for1));
					strcpy(logoninfo.logname,username);
					//cout<<logoninfo.logon_type<<endl;
					//cout<<logoninfo.logname<<endl;
				
				}
				char abnormal[20];
				memset(abnormal,0,20);
				if(strcasecmp(logoninfo.logon_type,"sshd:session")==0||strcasecmp(logoninfo.logon_type,"sshd")==0)
				{
					strcpy(abnormal,"1");
				}
				else
				{
					strcpy(abnormal,"0");
				}
				char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_logon_log_bysecure("
				"id,"
				"logon_type,"
				"prc_id,"
				"logname,"
				"logon_user,"
				"logon_ip,"
				"logon_rs,"
				"logon_date,"
				"abnormal_flag,"
				"mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",
				struuid,
				logoninfo.logon_type,
				logoninfo.pr_id,
				logoninfo.logname,
				logoninfo.user,
				logoninfo.logon_ip,
				logoninfo.logon_rs,
				date1,
				abnormal,
				Mac,
				eventId );
		       

				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				//cout<<"open"<<strsql1<<endl;
				if (0 != ret) 
				{
				//cout<<strsql1<<endl;
				   // cout<<"linux_user_command err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
			}
			//登录失败
			if(localhost)
			{
				
				char *logname;
				char *ip;
				char *prc_id;
				char logon_type[50];
				char temp[256];
				memset(temp,0,256);
				memset(logoninfo.date,0,256);
				memset(logoninfo.logon_type,0,256);
				memset(logoninfo.logon_rs,0,256);
				memset(logoninfo.logon_ip,0,256);
				memset(logoninfo.user,0,256);
				memset(logoninfo.pr_id,0,32);
				memset(logoninfo.logname,0,256);
				strcpy(logoninfo.date,date);
				strcpy(logoninfo.logon_rs,"fail");
				char * templocal;
				templocal=strchr(des,' ')+1;
				strcpy(temp,templocal);
				//cout<<des<<endl;
				//cout<<temp<<endl;
				templocal=strchr(temp,':');
				strcpy(des,templocal);
				memset(logon_type,0,50);
				memcpy(logon_type,temp,strlen(temp)-strlen(des));
				prc_id=strchr(logon_type,'[');
				if(prc_id)
				{
					char t[256];
					char prc[32];
					memset(prc,0,32);
					memset(t,0,256);
					memcpy(t,logon_type,strlen(logon_type)-strlen(prc_id));
					//strcpy(temp,prc_id);
					strcpy(logoninfo.logon_type,t);
					memset(t,0,256);
					strcpy(t,prc_id);
				
					prc_id=strchr(t,']');
					//memset(t,0,256);
					memcpy(prc,t,strlen(t)-strlen(prc_id));
					prc_id=strchr(prc,'[')+1;
					strcpy(t,prc_id);
					strcpy(logoninfo.pr_id,t);
				
				}
				char *type=strstr(des,"pam_unix(");
				if(type)
				{
					strcpy(des,type);
					type=strchr(des,')');

					memcpy(logon_type,des,strlen(des)-strlen(type));
					type=strrchr(logon_type,'(')+1;
					strcpy(logoninfo.logon_type,type);
				}
			
				char dest[256];
				char username[256];
				char rhost[256];
				//cout<<des<<endl;	
				logname=strstr(des,"logname=");
				if(logname)
				{
					strcpy(dest,logname);
				}
				if(logname)
				{
					logname=strchr(dest,'=')+1;
					strcpy(dest,logname);
				}
				if(logname)
				{
					logname=strchr(dest,' ')+1;
					memset(username,0,256);
					memcpy(username,dest,strlen(dest)-strlen(logname)-1);
					//cout<<username<<endl;
					strcpy(logoninfo.logname,username);
				
					strcpy(dest,logname);
					//cout<<dest<<endl;
				}
				if(ip)
				{
					ip=strstr(dest,"rhost=");

					strcpy(dest,ip);
				}
				ip=strchr(dest,'=')+1;
				if(ip)
				{
					strcpy(dest,ip);
				}
				ip=strchr(dest,' ')+1;
				if(ip)
				{
					memset(rhost,0,256);
					memcpy(rhost,dest,strlen(dest)-strlen(ip)-1);
					strcpy(logoninfo.logon_ip,rhost);
					//cout<<logoninfo.logon_ip<<endl;
					//cout<<ip<<endl;
					strcpy(dest,ip);
				}
				if(strlen(dest)>1)
				{
					char* username1=strrchr(des,'=')+1;

					//cout<<dest<<endl;
					memcpy(dest,username1,strlen(username1));
					
					memcpy(logoninfo.user,username1,strlen(username1));
					

				}
				char* strsql1 = new char[4096];
				sprintf(strsql1,"insert into linux_logon_log_bysecure(""id,""logon_type,""prc_id,""logname,""logon_user,""logon_ip,""logon_rs,""logon_date,""abnormal_flag,""mac_address,"
				"event_task_id) values('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",struuid,logoninfo.logon_type,logoninfo.pr_id,logoninfo.logname,logoninfo.user,logoninfo.logon_ip,logoninfo.logon_rs,date1,"1",Mac,eventId );
				ret = sqlite3_exec(db,strsql1,NULL,NULL,&err_msg);
				//cout<<"localhost"<<strsql1<<endl;
				if (0 != ret) 
				{
				//cout<<strsql1<<endl;
				   // cout<<"linux_user_command err"<<endl;
				    cout<<err_msg<<endl;
				}
				delete []strsql1;
				strsql1 = NULL;
			
			}
memset(buf1, 0, sizeof(buf1));
		//strcpy(tempbuf,buf1);
		}
		
		
		fclose(fp1);
		if(strstr(buf,"test"))
		{
		 system("rm ./test");
		}
	}
	fclose(fp);
	system("rm ./dir");	
}
void Getbtmp(sqlite3 *db, char * Mac, char *eventId)
{
	system("sudo lastb> login");
	char *err_msg;
    	int ret;
	LOGINLOG login;

	char *fileName = "./login";
	FILE *fp = NULL;
	fp = fopen(fileName, "r");
	if(fp == NULL)
	{
		perror("open file failed");
		return;
	}
	char *p;
	char * p1;

	char buf[1024];
	memset(buf, 0, sizeof(buf));
	while(fgets(buf, 1024-1, fp) != NULL)
	{
		if(strlen(buf)==1)
		{
			break;
		}
		memset(&login,0,sizeof(login));
		p =strstr(buf," ");
		memcpy(login.login_user,buf,strlen(buf)-strlen(p));
		strcpy(buf,p);
		p= ltrim(buf);
		strcpy(buf,p);
		p =strchr(buf,' ');
		memcpy(login.login_utline,buf,strlen(buf)-strlen(p));
		p =strstr(buf," ");
		strcpy(buf,p);
		p= ltrim(buf);
		p =strchr(buf,' ');
		
		memcpy(login.login_ip,buf,strlen(buf)-strlen(p));

		p =strstr(buf," ");
		strcpy(buf,p);
		p= ltrim(buf);
		
		strcpy(login.login_date,p);
		 char struuid[36] = {0};
		uuid_t uuid;
		uuid_generate(uuid);
		uuid_unparse(uuid, struuid);
		string suuid(struuid);
		suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
		memset(struuid, 0, sizeof(struuid));
		strncpy(struuid, suuid.c_str(), 32);
		
		//把内容输入到sqlite3数据库中
	/*	char* strsql = new char[4096];
		
		sprintf(strsql,"insert into Linux_logon_log("
		"id,"
		"login_ip,"
		"login_date,"
		"login_user_name,"
		"login_utline,"

		"mac_address,"
		"event_task_id) values('%s','%s','%s','%s','%s','%s','%s')",
		struuid,
		login.login_ip,
		login.login_date,
		login.login_user,
		login.login_utline,
		Mac,
		eventId );
       

        ret = sqlite3_exec(db,strsql,NULL,NULL,&err_msg);
	cout<<strsql<<endl;
        if (0 != ret) 
        {
            cout<<"sqlite3_exec-insert err"<<endl;
            cout<<err_msg<<endl;
        }
        delete []strsql;
        strsql = NULL;
	}
	fclose(fp);

 	*/
}
	system("rm login");
}
void Getwtmp(sqlite3 *db, char * Mac, char *eventId)
{
	system("sudo who /var/log/wtmp > login");
	char *err_msg;
    	int ret;
	LOGINLOG login;
	
	char *fileName = "./login";
	FILE *fp = NULL;
	fp = fopen(fileName, "r");
	if(fp == NULL)
	{
		perror("open file failed");
		return;
	}
	char *p;
	char * p1;
	
	char buf[1024];
	memset(buf, 0, sizeof(buf));
	while(fgets(buf, 1024-1, fp) != NULL)
	{
		//cout<<buf<<endl;
		memset(&login,0,sizeof(login));
		p =strstr(buf," ");
		memcpy(login.login_user,buf,strlen(buf)-strlen(p));
		strcpy(buf,p);
		p= ltrim(buf);
		strcpy(buf,p);
		p =strchr(buf,' ');
		memcpy(login.login_utline,buf,strlen(buf)-strlen(p));
		p =strstr(buf," ");
		strcpy(buf,p);
		p= ltrim(buf);
		p =strrchr(buf,' ');
		
		p1 =strrchr(buf,' ')+2;
		memcpy(login.login_date,buf,strlen(buf)-strlen(p));
		
		p =strchr(p1,')');
		
		memcpy(login.login_ip,p1,strlen(p1)-strlen(p));
		//cout<<login.login_ip<<endl;

		 char struuid[36] = {0};
		uuid_t uuid;
		uuid_generate(uuid);
		uuid_unparse(uuid, struuid);
		string suuid(struuid);
		suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
		memset(struuid, 0, sizeof(struuid));
		strncpy(struuid, suuid.c_str(), 32);

		//把内容输入到sqlite3数据库中
		char* strsql = new char[4096];
		
		sprintf(strsql,"insert into Linux_logon_log("
		"id,"
		"login_ip,"
		"login_date,"
		"login_user_name,"
		"login_utline,"

		"mac_address,"
		"event_task_id) values('%s','%s','%s','%s','%s','%s','%s')",
		struuid,
		login.login_ip,
		login.login_date,
		login.login_user,
		login.login_utline,
		Mac,
		eventId );
       

        ret = sqlite3_exec(db,strsql,NULL,NULL,&err_msg);
	//cout<<strsql<<endl;
        if (0 != ret) 
        {
            cout<<"sqlite3_exec-insert err"<<endl;
            cout<<err_msg<<endl;
        }
        delete []strsql;
        strsql = NULL;
       
    }
   
	fclose(fp);
	system("rm  login");
}
void Getwtmporutmp(sqlite3 *db, char * Mac, char *eventId)
{
     sqlite3_os_init();
    //char* filename = new char[256];
    //strcpy(filename,"./hongtan004_linux.db");
    //sqlite3 *db=NULL;
    int rc;
    //rc = sqlite3_open(filename,&db);
    //if(rc)
    //{
    //    printf("open sqlite file %s fail\n",filename);
    //    return ;
    //}
    //else
    //{
    //    printf("open sqlite file %s succeed\n",filename);
    //    
    //}
    struct utmp p;
  //  int fhd = open("/var/log/btmp",O_RDONLY);
     int fhd = open("/var/run/utmp",O_RDONLY);
    
    char *err_msg;
    int ret = sqlite3_exec(db,"delete from Linux_Login_Log",NULL,NULL,&err_msg);
    if (0 != ret) 
    {
        cout<<"sqlite3_exec-delete err"<<endl;
        cout<<err_msg<<endl;
    }
    while(read(fhd,&p,sizeof(p)))
    {
        string tempstr;
        if(p.ut_type == EMPTY)
        {
            tempstr = "此为空的记录";
        }
        else if(p.ut_type == RUN_LVL)
        {
            tempstr = "记录系统run－level 的改变";
        }
        else if(p.ut_type == BOOT_TIME)
        {
            tempstr = "记录系统开机时间";
        }
        else if(p.ut_type == NEW_TIME)
        {
            tempstr = "记录系统时间改变后的时间";
        }
        else if(p.ut_type == OLD_TIME)
        {
            tempstr = "记录当改变系统时间时的时间";
        }
        else if(p.ut_type == INIT_PROCESS)
        {
            tempstr = "记录一个由init 衍生出来的进程";
        }
        else if(p.ut_type == LOGIN_PROCESS)
        {
            tempstr = "记录 login 进程";
        }
        else if(p.ut_type == USER_PROCESS)
        {
            tempstr = "记录一般进程";
        }
        else if(p.ut_type == DEAD_PROCESS)
        {
            tempstr = "记录一结束的进程";
        }
        else if(p.ut_type == ACCOUNTING)
        {
            tempstr = "目前尚未使用" ;
        }
        else{
            tempstr = "错误的数据";
        }
         char s[100];
         struct tm *q;
         //时区转化 + 8个小时
         time_t t = p.ut_tv.tv_sec -25200;
         q = gmtime(&t);
         //strftime(s, sizeof(s), "%Y-%m-%d %H:%M:%S",q);   
        snprintf(s, 100-1, "%04d-%02d-%02d %02d:%02d:%02d", q->tm_year+1900, q->tm_mon+1, q->tm_mday, q->tm_hour, q->tm_min, q->tm_sec);
        //生成唯一uuid
        //boost::uuids::uuid a_uuid = boost::uuids::random_generator()();
        //const string tmp_uuid = boost::uuids::to_string(a_uuid);
        char struuid[36] = {0};
        uuid_t uuid;
        uuid_generate(uuid);
        uuid_unparse(uuid, struuid);
        string suuid(struuid);
        suuid.erase(remove(suuid.begin(), suuid.end(), '-'));
        memset(struuid, 0, sizeof(struuid));
        strncpy(struuid, suuid.c_str(), 32);

        //把内容输入到sqlite3数据库中
        char* strsql = new char[4096];
        char* stradd = new char[32];
        sprintf(stradd,"%d.%d.%d.%d",p.ut_addr_v6[0],p.ut_addr_v6[1],p.ut_addr_v6[2],p.ut_addr_v6[3]);
        sprintf(strsql,"insert into Linux_Login_Log("
        "id,"
        "ut_type,"
        "ut_pid,"
        "ut_line,"
        "ut_id,"
        "ut_user,"
        "ut_host,"
        "e_termination,"
        "e_exit,"
        "ut_session,"
        "ut_tv,"
        "ut_addr,"
        "sus_ip_id,"
        "mac_address,"
        "event_task_id) values('%s','%s','%d','%s','%s','%s','%s','%d','%d','%d','%s','%s','%s','%s','%s')",
        struuid,
        tempstr.c_str(),
        p.ut_pid,
        p.ut_line,
        p.ut_id,
        p.ut_user,
        p.ut_host,
        0,
        0,
        p.ut_session,
        s,//p.ut_tv,
        stradd,
        "",
        Mac,
        eventId
        );
//cout<<strsql<<"denglurizhi"<<endl;
        ret = sqlite3_exec(db,strsql,NULL,NULL,&err_msg);
        if (0 != ret) 
        {
            cout<<"sqlite3_exec-insert err"<<endl;
            cout<<err_msg<<endl;
        }
        delete []strsql;
        strsql = NULL;
        delete []stradd;
        stradd = NULL;
    }
    close(fhd);

  //  fhd = open("/var/log/btmp",O_RDONLY);
        fhd = open("/var/log/btmp",O_RDONLY);
    while(read(fhd,&p,sizeof(p)))
    {
        string tempstr;
        if(p.ut_type == EMPTY)
        {
            tempstr = "此为空的记录";
        }
        else if(p.ut_type == RUN_LVL)
        {
            tempstr = "记录系统run－level 的改变";
        }
        else if(p.ut_type == BOOT_TIME)
        {
            tempstr = "记录系统开机时间";
        }
        else if(p.ut_type == NEW_TIME)
        {
            tempstr = "记录系统时间改变后的时间";
        }
        else if(p.ut_type == OLD_TIME)
        {
            tempstr = "记录当改变系统时间时的时间";
        }
        else if(p.ut_type == INIT_PROCESS)
        {
            tempstr = "记录一个由init 衍生出来的进程";
        }
        else if(p.ut_type == LOGIN_PROCESS)
        {
            tempstr = "记录 login 进程";
        }
        else if(p.ut_type == USER_PROCESS)
        {
            tempstr = "记录一般进程";
        }
        else if(p.ut_type == DEAD_PROCESS)
        {
            tempstr = "记录一结束的进程";
        }
        else if(p.ut_type == ACCOUNTING)
        {
            tempstr = "目前尚未使用" ;
        }
        else{
            tempstr = "错误的数据";
        }
         char s[100];
         struct tm *q;
         //时区转化 + 8个小时
         time_t t = p.ut_tv.tv_sec-25200;
         q = gmtime(&t);
         //strftime(s, sizeof(s), "%Y-%m-%d %H:%M:%S",q);   
        snprintf(s, 100-1, "%04d-%02d-%02d %02d:%02d:%02d", q->tm_year+1900, q->tm_mon+1, q->tm_mday, q->tm_hour, q->tm_min, q->tm_sec);
        //生成唯一uuid
        /*
        boost::uuids::uuid a_uuid = boost::uuids::random_generator()();
        const string tmp_uuid = boost::uuids::to_string(a_uuid);
        */
        char struid[36] = {0};
        uuid_t uuid;
        uuid_generate(uuid);
        uuid_unparse(uuid, struid);
        string temp(struid);
        temp.erase(remove(temp.begin(), temp.end(), '-'));
        memset(struid, 0, sizeof(struid));
        strncpy(struid, temp.c_str(), 32);


        //把内容输入到sqlite3数据库中
        char* strsql = new char[4096];
        char* stradd = new char[32];
sprintf(strsql,"insert into Linux_logon_log("
		"id,"
		"login_ip,"
		"login_date,"
		"login_user_name,"
		"login_utline,"

		"mac_address,"
		"event_task_id) values('%s','%s','%s','%s','%s','%s','%s')",
		struid,
		p.ut_host,
		s,
		p.ut_user,
		p.ut_line,
		Mac,
		eventId );
       
        sprintf(stradd,"%d.%d.%d.%d",p.ut_addr_v6[0],p.ut_addr_v6[1],p.ut_addr_v6[2],p.ut_addr_v6[3]);

      
        ret = sqlite3_exec(db,strsql,NULL,NULL,&err_msg);
        if (0 != ret) 
        {
            cout<<"sqlite3_exec-insert err2"<<endl;
            cout<<err_msg<<endl;
        }
        delete []strsql;
        strsql = NULL;
        delete []stradd;
        stradd = NULL;
    }
    close(fhd);
fhd = open("/var/log/wtmp",O_RDONLY);
    
    while(read(fhd,&p,sizeof(p)))
    {
        string tempstr;
        if(p.ut_type == EMPTY)
        {
            tempstr = "此为空的记录";
        }
        else if(p.ut_type == RUN_LVL)
        {
            tempstr = "记录系统run－level 的改变";
        }
        else if(p.ut_type == BOOT_TIME)
        {
            tempstr = "记录系统开机时间";
        }
        else if(p.ut_type == NEW_TIME)
        {
            tempstr = "记录系统时间改变后的时间";
        }
        else if(p.ut_type == OLD_TIME)
        {
            tempstr = "记录当改变系统时间时的时间";
        }
        else if(p.ut_type == INIT_PROCESS)
        {
            tempstr = "记录一个由init 衍生出来的进程";
        }
        else if(p.ut_type == LOGIN_PROCESS)
        {
            tempstr = "记录 login 进程";
        }
        else if(p.ut_type == USER_PROCESS)
        {
            tempstr = "记录一般进程";
        }
        else if(p.ut_type == DEAD_PROCESS)
        {
            tempstr = "记录一结束的进程";
        }
        else if(p.ut_type == ACCOUNTING)
        {
            tempstr = "目前尚未使用" ;
        }
        else{
            tempstr = "错误的数据";
        }
         char s[100];
         struct tm *q;
         //时区转化 + 8个小时
         time_t t = p.ut_tv.tv_sec -25200;
         q = gmtime(&t);
         //strftime(s, sizeof(s), "%Y-%m-%d %H:%M:%S",q);   
        snprintf(s, 100-1, "%04d-%02d-%02d %02d:%02d:%02d", q->tm_year+1900, q->tm_mon+1, q->tm_mday, q->tm_hour, q->tm_min, q->tm_sec);
        //生成唯一uuid
        /*
        boost::uuids::uuid a_uuid = boost::uuids::random_generator()();
        const string tmp_uuid = boost::uuids::to_string(a_uuid);
        */
        char strUuid[36] = {0};
        uuid_t uuid;
        uuid_generate(uuid);
        uuid_unparse(uuid, strUuid);
        string temp(strUuid);
        temp.erase(remove(temp.begin(), temp.end(), '-'));
        memset(strUuid, 0, sizeof(strUuid));
        strncpy(strUuid, temp.c_str(), 32);


        //把内容输入到sqlite3数据库中
        char* strsql = new char[4096];
        char* stradd = new char[32];
        sprintf(stradd,"%d.%d.%d.%d",p.ut_addr_v6[0],p.ut_addr_v6[1],p.ut_addr_v6[2],p.ut_addr_v6[3]);
        sprintf(strsql,"insert into Linux_Login_Log("
        "id,"
        "ut_type,"
        "ut_pid,"
        "ut_line,"
        "ut_id,"
        "ut_user,"
        "ut_host,"
        "e_termination,"
        "e_exit,"
        "ut_session,"
        "ut_tv,"
        "ut_addr,"
        "sus_ip_id,"
        "mac_address,"
        "event_task_id) values('%s','%s','%d','%s','%s','%s','%s','%d','%d','%d','%s','%s','%s','%s','%s')",
        strUuid,
        tempstr.c_str(),
        p.ut_pid,
        p.ut_line,
        p.ut_id,
        p.ut_user,
        p.ut_host,
        0,
        0,
        p.ut_session,
        s,//p.ut_tv,
        stradd,
        "",
        Mac,
        eventId
        );
        ret = sqlite3_exec(db,strsql,NULL,NULL,&err_msg);
        if (0 != ret) 
        {
            cout<<"sqlite3_exec-insert err2"<<endl;
            cout<<err_msg<<endl;
        }
        delete []strsql;
        strsql = NULL;
        delete []stradd;
        stradd = NULL;
    }
    close(fhd);
    //sqlite3_close(db);
    //delete []filename;
    //filename = NULL;
}

void Gethistory()
{
	//system("export HISTTIMEFORMAT='%F %T--yundun--'");
	//system("./history.sh");
    system("cp ~/.bash_history ./history");
}


/*
void listFiles(const char * dir)
{
    intptr_t handle;
    _finddata_t findData;

    handle = _findfirst(dir, &findData);    // 查找目录中的第一个文件
    if (handle == -1)
    {
        cout << "Failed to find first file!\n";
        return;
    }

    do
    {
        if (findData.attrib & _A_SUBDIR
            && strcmp(findData.name, ".") == 0
            && strcmp(findData.name, "..") == 0
            )    // 是否是子目录并且不为"."或".."
            cout << findData.name << "\t<dir>\n";
        else
            cout << findData.name << "\t" << findData.size << endl;
    } while (_findnext(handle, &findData) == 0);    // 查找目录中的下一个文件

    cout << "Done!\n";
    _findclose(handle);    // 关闭搜索句柄
}
*/

/*
void GetFileInfo()
{

    intptr_t handle;
    _finddata_t findData;

    handle = _findfirst(dir, &findData);    // 查找目录中的第一个文件
    if (handle == -1)
    {
        cout << "Failed to find first file!\n";
        return;
    }

    do
    {
        if (findData.attrib & _A_SUBDIR
            && strcmp(findData.name, ".") == 0
            && strcmp(findData.name, "..") == 0
            )    // 是否是子目录并且不为"."或".."
            cout << findData.name << "\t<dir>\n";
        else
            cout << findData.name << "\t" << findData.size << endl;
    } while (_findnext(handle, &findData) == 0);    // 查找目录中的下一个文件

    cout << "Done!\n";
    _findclose(handle);    // 关闭搜索句柄
}
*/

/*
int main(int argc, char** argv)
{
    //Getwtmporutmp();
    //获取系统日志
    //listFiles(\*);
    //Gethistory();
    //获取所有文件信息
    return 0;
}
*/
